27 replies to this topic

[Simon]

Internal audits and pastures new?
By Allan J. Sayle, President Allan Sayle Associates

A matter raised almost in passing by Jim Wade (of the Business Improvement Network, based in the UK) in a post on the Saferpak Discussion Forum is significant to quality professionals, business and the entire ISO 9000 standards, training and certification industry. Not because of the actual message he posted, but because of its ramifications. It would seem to me we are probably witnessing the first signs of what Joseph Schumpeter would describe as a 'perennial gale of creative destruction.' Something new is happening and it could well sweep away many features of present day quality programs and the services offered to organizations. The underlying concepts are not 'new' in that certain features were described some time ago. What is 'new' is that it seems some companies are acting on them and, I believe, they are the vanguard for thousands of others that could follow.

Read Full Article:
Internal audits and pastures new?

Regards,
Simon

Attached Files

•  Internal_audits_and_pastures_new.pdf   221.15KB   119 downloads

[Jim Wade]

Blimey - 25 pages!

I'll get back when I have found time to read it. My response will be shorter.

rgds

Jim

[Simon]

My simplistic and unworthy answer to Allan's very detailed and informative paper is that I am sure Process Reviews are a very good idea. However, I am less sure whether they are a substitute for internal audits and even less sure whether PR's should be allowed to be accepted as such by Certification Bodies (Registrars). That said it has been confirmed to Allan by an Accreditation Body that one CB is indeed accepting Process Reviews as a substitute for internal audits as part of their clients ISO9001:2000 Certification.

As to whether this is right? Wrong? Legal? Ethical? I really am unsure.

Thanks for a great piece of writing Allan.

Regards,
Simon

[Jim Wade]

Allan

I really think the piece could do with an executive summary. I attempted to write one, but I couldn't complete it because I'm unsure what your main message(s) are.

My view:

ISO 9001 is open to wide interpretation. That's because it isn't, and doesn't need to be, a standard - see this article: http://www.bin.co.uk/IMS_May_2002.pdf

Any interpretation is OK that meets these criteria:

1) It strengthens an organisation with regard to improved adoption of accepted good management principles and practice as laid out in, for example, the eleven standards and technical reports that make up the ISO 9000 family, the excellence models and the Balanced Scorecard.

2) It meets the requirements of the organisation's stakeholders.

3) It meets the requirements of ISO 9001 (if a certificate is required).

The emerging creative approaches to 'internal auditing' are examples of interpretation which, in my opinion, meet the first two criteria and, in the opinion of professional and official certifiers and accreditors, also meet the third.

So what's the problem?

Edited by Jim Wade, 19 April 2005 - 10:34 PM.

[Simon]

Whether ISO 9001:2000 is or isn't a Standard is not the issue on the table. ISO 9001:200 is called an 'International Standard' and contains 'Quality Management systems - Requirements' some of these requirements are contained in clause 8.2.2 Internal Audit, which is not a clause on the permissible exclusions list.

EN ISO9001:2000

8.2.2 Internal Audit

The organization shall conduct internal audits at planned intervals to determine the quality management system

a. conforms to planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b. is effectively implemented and maintained.

An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits.  The audit criteria, scope, frequency and methods shall be defined.  Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process.  Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes.  Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2).

NOTE See ISO 10011-1, ISO 10011-2 and ISO 10011-3 for guidance.

If an organisation does not do the above should they still be able to hold the certificate?

Regards,
DA

[Jim Wade]

If an organisation does not do the above should they still be able to hold the certificate?

<{POST_SNAPBACK}>

No, they shouldn't.

In the case of the two companies identified in Allan's article, their approach to internal auditing is to meet the requirements of 8.2.2 in new and creative ways - without doing internal auditing as is conventionally taught and practiced.

Lets face it, if they didn't meet the requirements, they wouldn't have been given a certificate.

Would they?

[Simon]

Lets face it, if they didn't meet the requirements, they wouldn't have been given a certificate.

Would they? 

Yep…you're right. I can't argue with that.

Regards,
Simon

[allanj]

No, they shouldn't.

In the case of the two companies identified in Allan's article, their approach to internal auditing is to meet the requirements of 8.2.2 in new and creative ways - without doing internal auditing as is conventionally taught and practiced.

Lets face it, if they didn't meet the requirements, they wouldn't have been given a certificate.

Would they?

<{POST_SNAPBACK}>

If registrars are to begin the practice of not awarding certificates to companies that do not meet "the requirements" [of ISO 9001 etc.] they would not award a certificate having open CARs etc. They would also begin withdrawing certificates from those found to have developed CAR issues. In that case I suspect the total number of registered firms would appraoch single figures as opposed to the alleged several hundred thousand.

The interpretations of any standard that matter are those agreed between customer and supplier: not between registrant and registrar. the need for any standard to apply either as guide or mandate is a matter between customer and supplier; not registrant and registrar.

Ethics have never been a prime issue of the quality standards and I would be highly amused if registrars were required to judge on matters of ethical conduct given their sad history of performance, willingness to be negotiated or threatened out of accurately recording what their clients might view as unacceptable, their willingness to continuously reduce the calibre of "auditor" assigned" the quality of training given, the time taken to perform the audit and so forth - all matters central to the position of trust to which they are appointed and for which they invoice.

I am personally disinterested in the fate of registrars. What I found interesting were the ramifications of the "precedent" set by a registrar accepting PR as an acceptable form of internal auditing for the purposes of complying with ISO 9001:2000. My article was lengthy simply because I feel the subject is of such importance that it merited a fuller analysis and discussion. I do not think "sound bite" discussion will be helpful because the quality movement has spent too much time and too many years advocating particular courses of action that management will be highly disenchanted if it was to be persuaded (rightly) to change the present course of action without a full understanding of the argument and reasoning.


As an executive digest one could simply say: "A precedent set by a particular registrar for the purposes of registering to ISO 9001: 2000 may point to the preference for abandoning "third party" registration, moving instead to "self certification" with the possible use of ISO 9001:2000 as a guide. The future direction of mtually agreed relationships between customers and suppliers are described. In light of that precedent, alternatives to present day internal audit programs, auditor training and certification are discussed and management is advised to swiftly take advantage of the precedent."

As a digest for the registration industry et al one might suggest, "A precedent decision made by a registrar could unleash a gale of change such that the good old days will soon be behind you."

[Jim Wade]

If registrars are to begin the practice of not awarding certificates to companies that do not meet "the requirements" [of ISO 9001 etc.] they would not award a certificate having open CARs etc. They would also begin withdrawing certificates from those found to have developed CAR issues. In that case I suspect the total number of registered firms would appraoch single figures as opposed to the alleged several hundred thousand.

<{POST_SNAPBACK}>

I agree, Allan.

Hence my winky smiley. You wonder sometimes if any certificated system meets the requirements!

The root weakness, of course, is that the idea of a generic standard for a QMS is deeply flawed. As is the notion of a QMS itself. As is the very concept of 'quality' as conventionally taught. IMO

All that can be done (until the certification situation is cleaned up - if that is ever to happen) is to try to ensure that any firms we deal with not only meet all the 9001 requirements [if they insist on having a certificate] but also (and much more importantly) that they implement management systems that support and improve the business for all stakeholders.

What sort of reactions are you getting to the article? I was disappointed to see the paucity of response at the C*#!.

rgds Jim

[David Hoyle]

Allan & Jim
In view of the debate you are having and the fact that I know you both quite well (Allan for some 20 yrs) I could not resist contributing my twopence.

I read 6 pages of Alans paper and tried searching on process audit or definitions etc but drew a blank. Allan appears to say that

If the 'reviewer' is independent of the process, fully understands the process approach, fully understands the process itself, works systematically, is properly prepared for the PR, is able to find root causes of whatever problems might be discovered, can demand effective corrective action, and will not allow work to proceed further unless and until such action is taken and verified as effective then, yes, equivalent practices are used.

I would take issue with Allan's statement.
ISO 9001 does not require the auditor to be independent of the process or activity - only that they do not audit their own work. Therefore a process 'owner' or 'manager' could audit/review his/her process and be compliant.

'Understands the process approach'

Here Allan and I may cross swords because while I agree he did introduce the task element approach in the 1970s I don't regard this as the process approach (unless of course he has changed it from his writings of the 1980s) because it is task focussed not objective focussed. Auditors do follow a sequence of activities, an audit trail but this is not process auditing, it is transaction auditing. Process auditing is about establishing that there is a process in place to achieve defined objectives, that these objectives align with the needs of the stakeholders and that they are being achieved by an effectively management process.

'will not allow work to proceed further' 

Here Allan is suggesting that internal audits are controls. Which in my experience is not correct except for product audits where stock is held until the result of the audit are released. Internal audits are different. They might look at work that is currently being done but often they look at work done long ago and are not intended to act as a break on the process.

But the bottom line is surely what the audit or review sets out to achieve. If it can be demonstrated that the organization delivers outputs that satisfy the stakeholders and that there is in place a regime of activities that ensure the processes are not only delivering the right outputs but in the best way and that the outputs are periodically reviewed against stakeholder needs - what else do the certification bodies need?

If the organization cannot demonstrate it has the capability of satisfying its stakeholders and managing its processes effectively it should not be awarded the certificate anyway but thousand of organizations are which is why ISO 9001 cerrtification has been devalued.

Am I right or am I right?

Best reagrds
David

[Jim Wade]

ISO 9001 does not require the auditor to be independent of the process or activity

<{POST_SNAPBACK}>

That's true, David.

ISO 9000/3.9.1's definition of an audit does say that it should be an independent process - and the meaning of that is (like so much in these so-called standards) usefully open to interpretation.

rgds

Jim

[Wallace Tait]

David,
Good post, it gets the debate started.

I have advocated Allan's "Task Element Approach" for some years now. The Element approach is IMO an excellent format for infusing systems thinking in relation to a business system that supports product and/or service.

There tends to be an assumption that the ISO standards negate and are superior to the Element approach regarding auditing/assessing, I totally disagree.
Allan created, defined and published the Task Element Approach some years ago and, it's very clear, his work has influenced the body of knowledge within the quality arena.

I firmly believe the Task Element Approach (aka the Process approach) encourages and infuses system thinking. After all we are for the most part assessing our business and operational systems and, system efficacy is very efficiently managed and measured using the Task Element Approach.

Within this forum thread, I believe you shall be able to view a number of visuals I posted relating to Allan J Sayle's process approach. Feel free to view, study and offer you feedback regarding their usability within a business management system?
I personally have had great success with the Task Element Approach.
Wallace.

[Jim Wade]

Wallace

If I understand correctly the mindmap you reproduced shows the elements of a process as person, item, equipment, service and information.

ISO 9001 (with a little help from ISO 9000) suggests that the elements of a process are:

Planning
sequence (4.1b)
interaction [identification of inputs & outputs] (4.1b & 4.2.2c [& 9000:3.4.1])
planning information (4.2.1d)

Operation
operational criteria (4.1c)
operationai methods (4.1c)
process measures (4.1e)
measurement methods (8.2.3)
operational resources (4.1d)
operational information (4.1d & 4.2.1d)

Analysis
process analysis methods (4.1e)
characteristics information (8.4c)
trends information (8.4c)

Control
process control criteria (4.1c)
process control methods (4.1c)
process monitoring methods (8.2.3 & 4.1e)
demonstration of capability (8.2.3)
process monitoring information (4.1d & 4.2.1d))
process monitoring resources (4.1d)

I'm having trouble reconciling these two views without (as I think David is implying) forming an opinion that the Task Element Approach is more to do with procedures than with processes. Certainly, its name strongly suggests that this is so.

This is just an impression - I haven't compared the two views in great detail.

Comments?

rgds Jim

Edited by Jim Wade, 30 April 2005 - 08:52 AM.

[Jim Wade]

Oh, and by the way, if anyone is confused as to the difference between a process and a procedure, don't ask the American Society for Quality (ASQ).

Their definitions, last time I looked, are:

Process: a set of interrelated work activities characterized by a set of specific inputs and value added tasks that make up a procedure for a set of specific outputs

Procedure: the steps in a process and how these steps are to be performed for the process to fulfill customer's requirements.

This is nonsense. It means that a process is a set of activities in a procedure, while a procedure is a set of steps in a process.

rgds Jim

Edited by Jim Wade, 30 April 2005 - 12:21 PM.

[Wallace Tait]

Yeah,
The definitions and meanings of process and procedure has become rather blurred and confused here in North America.
One of the fist things I do regarding assessment of an organization is to: ask for their particular organizational definitions and interpretations of terminologies that are common to quality systems and business in general.
I take the simplistic approach:
A process is what we do and a procedure is how we do it, it's really that simple at the base level of understanding.
By the way, most of the assessments I have managed or taken part in, have been in a non ISO environment. This non ISO environment has generally been made possible by the complete failure of ISO within these particular Business systems. For the most part, the ISO failure has been noted more often in the manufacturing environment.

The Task Element Approach: Created, named and developed by Allan J Sayle is, IMO as relevant today as it was when first published. Should the name be changed if we are going to call it "The Process Approach"? Well it's rather difficult to do that as, a particular defined process approach is apparently ingrained into the current ISO definitions and practices (Or is it??). Regardless of an assumed name change, we are still dealing with tasks and elements.

I personally look at and, assess business systems for potential improvements based on the measureables of the Task Elements (TE). Taking into consideration that many organizations are now adapting and adopting an independent yet interdependent approach to business in relation to systems thinking; I firmly believe the TE's are almost perfectly aligned to systems thinking.
The most important element to business is obviously people (Employees) and, the TE approach enables us to look at this first and establish a measure of personnel. The other elements of item, Equipment, Information and Service are independent yet interdependent of each other. The TE's make up for the most part, a system of assessment and measurement that can infuse and enforce system and process improvements.
The tendency is to look at the semantics of the Task Elements and compare them to the ISO standard such as 9001 and/or 9004. As good as standards and benchmarks are, I firmly believe Allan created and developed a relevant system of assessment and measurement that can indeed be easily aligned to and with many standards in use.
The possible Caveat may be, the reality that the Task Element Approach must needs, allow itself to further develop or evolve according to current and future developing needs of potential avenues of use for the TE approach.

Wallace.

Edited by Wallace Tait, 30 April 2005 - 10:53 PM.

[allanj]

The discussion has drifted away from the substance and thrust of the article I wrote to the point of irrelevance to the issues I raise.

[Simon]

Yes chaps we appear to have drifted somewhat from the original thread. If you wish to continue discussing the task element approach, process v procedure etc. I can split the topic off - someone send me a PM.

For those of you who have taken the time to read the article let us hear your thoughts on the notion of process reviews as a replacement for internal audits.

1. Process reviews - are they a good idea?
2. Do process reviews comply with ISO 9001:2000?
3. Your thoughts on self-certification?
4. The affect of the above on the registration (certification) industry?
5. What should be the position of ISO and the TC Committee?
6. Where next?

Regards,
Simon

[Franco]

Oh, and by the way, if anyone is confused as to the difference between a process and a procedure, don't ask the American Society for Quality (ASQ).

Process is preparing a Christmas pudding. The procedure is the recipe.

To get a good Christmas pudding I have to evaluate my suppliers of raw materials, need proper equipment and training and so on.

Just my two pennies, Jim.

[Jim Wade]

Well, I'll kick off.

2. Do process reviews comply with ISO 9001:2000?

Of course.

ISO 9001 advises us to carry out such reviews when it informs us that [the process approach] emphasizes the importance of continual improvement of processes... and that the check part of the PDCA cycle should monitor and measure processes ... and report the results

And it requires such reviews by telling us that input to management review shall include information on process performance and output from the management review shall include any decisions and actions related to improvement of the effectiveness of ... processes.

Clauses 8.2.2 and 7.1 make it clear that the main target of an 'internal audit' is the organisation's product realisation processes. So 'internal audit' is just a shorthand for 'review of the plans for, and performance of, product realisation processes'.

Note.: I am not talking here about anybody's opinion on what is good auditing practice, just about what the so-called standard' actually says - and the ways in which that can be interpreted for business benefit.

rgds Jim

[Simon]

So how does the Standard need to change? Red rag to a bull...

Regards,
Simon

[Jim Wade]

So how does the Standard need to change?  Red rag to a bull...

Regards,
Simon

<{POST_SNAPBACK}>

I don't think it needs to change at all, Simon - except perhaps to tidy up some of the sloppy wording. Consider, for example, this priceless rubbish:

7.2.1d) The organization shall determine any additional requirements determined by the organization.

The ISO 9001 document is pretty much OK. What really needs to change, IMO, is the poor behaviour that stems from it being misrepresented as a 'standard'.

rgds Jim

Edited by Jim Wade, 03 May 2005 - 09:35 PM.

[allanj]

There seems to be a fixation in the "quality world" that a solution to problems might be to "fix" or "change" the standard. I see no reason why "the standard" should be changed. My article deals with with the ramifications (as I speculate they might occur) of a registrar precedentially accepting PR as an acceptable surrogate for internal auditing for the purpose of compliance. But, more crucially if customers and suppliers wish to get more closely involved this may herald a return to the days of multiple assessment. This would have some dramatic consequences for the registration industry. Changing the standard would not achieve anything if we enter an era of customers NOT mandating registration as a condition of contract (which I hope is an incipient event).

I believe self certification to a guideline standard is perfectly acceptable and should be encouraged.

I also believe there is now substantial evidence that when customers and suppliers work closely together both organizations benefit more than they would through worrying about registration/ ISO 9K et al. As a notable example:this morning, the latest car sales figures in USA for last month show Toyota increased its sales 36% in the last 12 months. A shining example of what true partnership and working together can do. Whereas, both GM and Ford lost further ground. QS and TS came from the old Big Three. The new Big Three (Toyota, Honda and Nissan) seem to prosper very nicely thank you adopting the more cooperative way with their suppliers. NKUK is also a Japanese firm, I understand.

I also think management is wearied of the tedious arguments and word-smithing that is rampant in "quality" these days. (Jack Welch certainly indicated as much in his memoirs). And my article muses on whether or not NKUK etc are heralds of change in our (that is "quality's) customers' policies/ practices.

If the old model of compelling registration and compliance with a quality standard is passing, why should the quality profession mourn?

If our market is signalling it wants a different "service" from the quality profession, we must heed what it is indicating and adjust accordingly. Perhaps we should reflect quality departments have been dramatically downsized over recent years. But, if our paymasters now want closer working with suppliers, maybe our numbers will increase again? Of course, the calibre of people will be crucial for the success and effectiveness of "post ISO9K" quality departments.

And there are quite a few good people working for registrars who could rejoin businesses and shine under those situations.

As Eric Williams, past Chairman of Council at the IQA used to remark, we must discuss substantive issues. I believe the possibility of a nascent post ISO 9K world is one such topic. That is why I posted my article on the Web - as I explain within it.

[Simon]

Hello Allan,

There seems to be a fixation in the "quality world" that a solution to problems might be to "fix" or "change" the standard. I see no reason why "the standard" should be changed.

It's not a quality problem as such Allan; if PR is an accepted display of innovative best practice then this should be fed back into the continual improvement process of the Standard - that is if we are to continue with and improve upon the Standard.

Changing the standard would not achieve anything if we enter an era of customers NOT mandating registration as a condition of contract (which I hope is an incipient event).

Is there any evidence to suggest this is or might be happening? Or is it just a hope?

I also believe there is now substantial evidence that when customers and suppliers work closely together both organizations benefit more than they would through worrying about registration/ ISO 9K et al. As a notable example:this morning, the latest car sales figures in USA for last month show Toyota increased its sales 36% in the last 12 months. A shining example of what true partnership and working together can do. Whereas, both GM and Ford lost further ground. QS and TS came from the old Big Three. The new Big Three (Toyota, Honda and Nissan) seem to prosper very nicely thank you adopting the more cooperative way with their suppliers. NKUK is also a Japanese firm, I understand.

I'm interested in hearing the evidence that suggests GM and Ford do not participate with their suppliers as much as Toyota et al. Are your conclusions based upon their reliance on QS/TS?

If it is so then how much does Toyota's closer participation with suppliers contribute to the increase in Toyota sales? Is it possible that Toyota have better marketing?

If the old model of compelling registration and compliance with a quality standard is passing, why should the quality profession mourn?

If it so you won't catch me crying.

Regards,
Simon

[allanj]

this should be fed back into the continual improvement process of the Standard – that is if we are to continue with and improve upon the Standard.
Is there any evidence to suggest this is or might be happening?  Or is it just a hope? 

What should or should not happen to the standard depends on what our customers (paymasters) want. My article muses on what Mr Wade said is happening at certain firms he mentioned. A certification body has confirmed to me that PR has been accepted by a registrar as acceptable. Beyond that, I do not know but would like to watch what happens.

I’m interested in hearing the evidence that suggests GM and Ford do not participate with their suppliers as much as Toyota et al.  Are your conclusions based upon their reliance on QS/TS?

If it is so then how much does Toyota’s closer participation with suppliers contribute to the increase in Toyota sales?  Is it possible that Toyota have better marketing?

It is a matter of closeness and style. I hear from very direct sources that suppliers over here prefer dealing with Toyota and other Japanese car makers in preference to the old Big Three because of the common propensity for the latter to constantly "beat up" their suppliers and be unpleasant to work with. It is quite common to hear folk saying words to the effect that Toyota while being explicit and demanding about their requiremnents and expectations do treat their suppliers with respect. In January (or thereabouts) of this year, local business media reported suppliers to the old Big Three estimate it costs about 8% more to work with the latter than with the others. As to marketing, one cannot dismiss the old wisdom that excellent products sell themselves as word spreads they deliver great value for money. The level of recalls that plague the old Big Three is most disturbing.

But, I am now digressing from the subject of my article. Apologies.

[Simon]

But, I am now digressing from the subject of my article. Apologies.

<{POST_SNAPBACK}>

Yes we are.

Anyway back on track, based mostly on anecdotal evidence my feeling is that ISO 9000 and the industry it supports is packing off to the East. We in the west have wised up and as is the case with tobacco we know it doesn't do us any good. With just a little bit of willpower we can live without it.

Regards,
Simon